Oct 01, 2014 10:23PM
People generally don?t like to be told what to do. Worse, when they have made a strong commitment to what exactly they believe to be prudent, learning that they may have miscalculated along the way can be a gut-wrenching experience. In fact, when they are forced to confront absolutes that are fundamentally different from their established beliefs, the process of working toward resolution can at times prove quite difficult. As a result, individuals in assessor or auditor roles frequently become what I term ?professional deliverers of bad news.?
Repeatable processes are science not art
Knowledge is learned, skills are practiced
Repeatable processes can lead to reasonable information security
Impersonation via phone is fraudulent identity (felony) in California and some other states
100s of hacks occur per day but Anonymous is newsworthy
1988 Morris worm shut down 1/3 of the Internet. Imagine that occurring today...
1997 Worcester Airport - wardialer use analogous to WarGames (1982)
Multiple historical cybersecurity events have been accomplished as a result of commonly known vulnerabilities that were preventable
2 ways to hack - take advantage of config problems or software vulnerabilities
Security should be common sense
Computers are more like cars than toasters, maintenance required
(Threat*Vulnerability)/Countermeasures * Value = Risk
Dedicated information security/risk management budget is better than it being a percentage of IT budget which may itself be dwarfed by relationship to total revenues
Multi-factor authentication will cost $2mil while saving $10mil in losses <-cost justification gets budget, ROI
2 teenagers in Cloverdale, California in ~2001 resulted in DoD Secretary announcing that it was experiencing significant, coordinated attack
Anonymous is akin to rodents poking heads in little holes as opposed to a great dragon. HBGary was social engineering of password as opposed to high tech hack. Persistence, but not complexity.
FUD is ok to get budget that will optimize risk levels
Cloud providers should adhere to client organizational policies, not clients to theirs. Security is not server specific.
More people die weekly from heart attacks than did from Anthrax, but Anthrax changed behavior, creating terror
Terrorism is about terror, not damages
Little things cost billions, e.g., virus attacks result in millions but are downplayed
Security is management problem, must vs. should, CEO and CIO must be in sync (preferably on must)
Real moral of Wizard of Oz - you always had what you were looking for but didn't know how to use it <-security
Train workers to use common sense
"why do we keep working so hard and accomplishing so little"
Budgets are going up, why aren't penetrations going down?
If we stopped spending, things would get immeasurably worse
Firewalls don't work? You're installing it wrong. If you're allowing everything through port 80, don't blame the firewall.
Threat landscape is changing so quickly, battefield is shifting
The problem is complex, by the time that we understand it
In '90s, installing patches and a/v would solve security. Now, Microsoft Patch Tuesday and a/v is still a focus, but good software development practices and configuration management is less so
Systems need internet access to be patched and then are exploited by bagel worm
Ranum uses unpatched Office 97 because it works
Game Over - In '00s, security was in the news and became expensive
Security professionals cried wolf too many times and became identified as a cost center despite trying to sell ROI
Cloud computing paradigm is now attractive as a result of '00s expensive security infrastructure build-outs and administration requirements
Use of thumb drives added complexity to finding data and ensuring its handling
Cloud computing builds dependency, will cost increase after dependency exists?
Unix/Linux crushed Mainframes and then price increased
Suggestion: Do projection on cost savings and perform EOY analysis to see what is realized
2010s - Regulation and Advanced Persistent Threat (APT)
Cyberwar was fought and US lost to China without knowing it was happening
Compliance monitoring and auditing adds complexities to administration and redundancies to security operations
If A trusts B and B trust C, A trusts C and does not know it
APT is frequently malware and intelligence gathering
iPads and smart phones are "gift" to next generation of security pros, "toxic love canal", executives walking around with equivalent of "h-bomb on their hip:
Advanced Threat Management operation is needed to manage organizational data threats regardless of Cloud
Tabletop risk management drill can be useful to understanding threat response. What would you do if your customer database was on eBay?
"Security is an expense that you pay to avoid a much bigger expense"
Southwest grounded all of their planes to save law suit expense and identified several other affected planes
I was watching the Early Show this morning. I know...it's a guilty pleasure. It's just newsy enough for my mornings without being Good Morning America serious or Today Show pretentious.
With the holidays upon us, a story on phishing attacks was featured. True to form, Harry Smith, was amazed by his guest as she described how she had sat in "a room full of world class experts" whom all had trouble identifying the phishing message due to its apparent authenticity.
Hmm....I'm guessing that that lost something in translation. It seems to me hard to believe that any "world class expert" would have such trouble decoding that a message indicating that the provider needs you to either reply or call with your details to "confirm" them would be anything but.
Just the same, here are some basics to think about when you get such messages, texts, calls, or even in person queries:
I once read an article in USA Today where a victim of identity theft recounted his misfortune. True to form, the experience had cost him near all of his available assets and a mountain of red tape to attempt to recover. What struck me most was that his lesson learned was that he would never again use credit cards or participate in an e-commerce transaction. Now, there is a guy walking around with a wad of cash.
Effectively, this man had shifted his risk. Where once he was prone to credit card fraud, he is now a potential mugging victim, and his identity could still be stolen.
Might he have considered subscribing to a credit monitoring service as provided by one of the major credit card bureaus (Disclosure: I am not a fan of third-party credit monitoring solutions, myself)? Might he have agreed to pay fractions of a cent per $100 to allow his credit card issuers to monitor the accounts for fraud? Could he have selected a bank that themselves provided fraud monitoring to its account holders? Could he have routinely reviewed his account balances and transaction history?
As we are not provided with details of the origination of the theft, might his computer have not had a basic firewall, current software patches, or updated virus protection? May he have practiced poor information disclosure habits and succumbed to either a talented social engineer or been overheard providing sensitive information by the next customer in line?
Yes. In each of these cases, yes!
Concerned with identity theft? Concerned about all those nasty hackers out there? Practice the basics. Employ major credit bureau, credit card, and bank fraud monitoring. Patch your system and run a current internet security suite. Don't share sensitive information with unauthorized third-parties and take care to reasonably protect such disclosure when it is necessary.
You've built a better mousetrap. Congratulations!
One thing - Bob needs it ahead of schedule for a very important client. Can you accelerate production?
Oh yeah, we're short on budget for this project. You're going to have to do with less.
Yeaaah....well, Sue is really a critical asset to the success of a new initiative of ours. You're going to have to do it without Sue.
Hey, this thing isn't going to hurt the anthropomorphic ones, right? We don't want any trouble with Disney.
...and we're going to need you to come in on Saturday.
Security controls are often very good conceptually. Then, the first constraint is identified and the control is still good. Then, another constraint, another, and an exception. Eventually, your mousetrap may moreso resemble a block of wood.